[Smcwg-public] [External Sender] Updates to 3.2.4.1/4 relying on signature for personal vetting

Adriano Santoni adriano.santoni at staff.aruba.it
Fri Aug 5 08:02:07 UTC 2022


Hello,

Regarding section 3.2.4.1 Attribute collection of individual identity, 
item 4:

On the subject of reference frameworks for digital signatures, I believe 
there is a problem that should be solved.

The AATL framework also includes digital signatures that are not 
associated with a "personal certificate" (as required by §3.2.4.1) and 
therefore, in my opinion, should not be accepted. I am referring in 
particular to the DocuSign remote signature service in which the 
signatures are (commonly) always made with the same key and relative 
certificate whose Subject is the DocuSign company itself (and not the 
person signing the document). I have not spent a lot of time 
investigating the matter, but my understanding is that the link of the 
DocuSign signature with the signer is just based on a previous email 
exchange. An "ID Verification" step is a Premium Feature that the 
average DocuSign user is not obliged to buy.

To plug this security hole, I recommend clarifying in the BR that 
DocuSign signatures are accepted (if ever) only when made with a 
/personal certificate/ (i.e., not one issued to DocuSign, but rather to 
John Smith, Arianna Garcia, François Bertrand, Hiroshi Nakamura, etc.).

Regards

Adriano



On 05/08/2022 00:06, Stephen Davidson via Smcwg-public wrote:
> Hello:
>
> Certificate Issuer members of the SMCWG had noted a desire to expand 
> the list of regimes of digital certificates that may be relied upon in 
> personal validation. It was also suggested by a Certificate Consumer 
> that criteria for evaluating these regimes be described.
>
> Based on our discussions, I have proposed some text in the draft as 
> follows:
>
> https://github.com/cabforum/smime/commit/33ce560204eaed4162cb70c919bf9f86ffac90cc
>
> Thanks to Ashish Dhiman and to Eva Van Steenberge for the help!
>
> Regards, Stephen
>
>
> _______________________________________________
> Smcwg-public mailing list
> Smcwg-public at cabforum.org
> https://lists.cabforum.org/mailman/listinfo/smcwg-public